13275c057816e8a845780f7efc56f71d9eb0d82872fe4f2999a875eed4a24dc1

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1AB13RN57.exe
Size

3.7MB
MD5

8537ab969199b629d5b988e5d9ef23c5
SHA1

1e75f01a1f8bf870db9bf7e47154e9c1022cecf2
SHA256

605e7377b5c4823bb226ee7927ec278dcbfdf6b67877bad19596f52a5d7a68a4
SHA512

59d1f9181219f3afb22e7c4f8c688cdfd10d53624dd23e492d30a5e22bce29a89274674d0cb4d200628c577e6316aee7bce2ceecfc4ae2aa73485b27d6dce4d8
SSDEEP

98304:4gyq8AcevX1LkIJDguXwIOwmJdwNe+zRXuKJkFA013fV6PYC:Fyq8A9vZ/5g8wI+J/yRvkFZ0X

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 9 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

1AB13RN57.tmp

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}	1AB13RN57.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463C-AFF1-A69D9E530F96}	1AB13RN57.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Active Setup\Installed Components	1AB13RN57.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}	1AB13RN57.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11D3-B153-00C04F79FAA6}	1AB13RN57.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4340}	1AB13RN57.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	1AB13RN57.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	1AB13RN57.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	1AB13RN57.tmp

Executes dropped EXE 6 IoCs

Processes:

1AB13RN57.tmpencrypt.exeencrypt.exeencrypt.exeusun.exeSunnyDay.exe

pid	Process
2264	1AB13RN57.tmp
2476	encrypt.exe
1852	encrypt.exe
344	encrypt.exe
2620	usun.exe
2724	SunnyDay.exe

Loads dropped DLL 12 IoCs

Processes:

1AB13RN57.exe1AB13RN57.tmp

pid	Process
2052	1AB13RN57.exe
2264	1AB13RN57.tmp
2264	1AB13RN57.tmp
2264	1AB13RN57.tmp
2264	1AB13RN57.tmp
2264	1AB13RN57.tmp
2264	1AB13RN57.tmp
2264	1AB13RN57.tmp
2264	1AB13RN57.tmp
2264	1AB13RN57.tmp
2264	1AB13RN57.tmp
2264	1AB13RN57.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1AB13RN57.tmpusun.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sun2 = "\"C:\\Program Files (x86)\\SunnyDay2\\SunnyDay.exe\""	1AB13RN57.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\usun.exe = "C:\\Users\\Admin\\AppData\\Local\\SunnyDay2\\usun.exe -runonce"	usun.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 6 IoCs

Processes:

1AB13RN57.tmp

description	ioc	Process
File opened for modification	C:\Program Files (x86)\SunnyDay2\SunnyDay.exe	1AB13RN57.tmp
File created	C:\Program Files (x86)\SunnyDay2\predm.exe	1AB13RN57.tmp
File created	C:\Program Files (x86)\SunnyDay2\unins000.dat	1AB13RN57.tmp
File created	C:\Program Files (x86)\SunnyDay2\is-IJADR.tmp	1AB13RN57.tmp
File opened for modification	C:\Program Files (x86)\SunnyDay2\unins000.dat	1AB13RN57.tmp
File created	C:\Program Files (x86)\SunnyDay2\SunnyDay.exe	1AB13RN57.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2252	powershell.exe

Enumerates processes with tasklist 1 TTPs 12 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
1488	tasklist.exe
1556	tasklist.exe
1140	tasklist.exe
1192	tasklist.exe
1576	tasklist.exe
2920	tasklist.exe
2740	tasklist.exe
2300	tasklist.exe
560	tasklist.exe
2508	tasklist.exe
896	tasklist.exe
2376	tasklist.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
1908	taskkill.exe
2828	taskkill.exe

Modifies registry class 2 IoCs

Processes:

1AB13RN57.tmp

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{8FF10FED-2F0A-4F7F-BE87-B04F1DCD4319}	1AB13RN57.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8FF10FED-2F0A-4F7F-BE87-B04F1DCD4319}\AppID = "{2D1F4278-D02C-486E-9CCB-D04349C38FA3}"	1AB13RN57.tmp

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	12	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeusun.exe

pid	Process
2252	powershell.exe
2620	usun.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

powershell.exetaskkill.exetaskkill.exeencrypt.exeencrypt.exeencrypt.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exeSunnyDay.exe

description	pid	Process
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeRestorePrivilege	2476	encrypt.exe
Token: 35	2476	encrypt.exe
Token: SeSecurityPrivilege	2476	encrypt.exe
Token: SeSecurityPrivilege	2476	encrypt.exe
Token: SeRestorePrivilege	1852	encrypt.exe
Token: 35	1852	encrypt.exe
Token: SeSecurityPrivilege	1852	encrypt.exe
Token: SeSecurityPrivilege	1852	encrypt.exe
Token: SeRestorePrivilege	344	encrypt.exe
Token: 35	344	encrypt.exe
Token: SeSecurityPrivilege	344	encrypt.exe
Token: SeSecurityPrivilege	344	encrypt.exe
Token: SeDebugPrivilege	1140	tasklist.exe
Token: SeDebugPrivilege	1192	tasklist.exe
Token: SeDebugPrivilege	560	tasklist.exe
Token: SeDebugPrivilege	2508	tasklist.exe
Token: SeDebugPrivilege	896	tasklist.exe
Token: SeDebugPrivilege	2376	tasklist.exe
Token: SeDebugPrivilege	1576	tasklist.exe
Token: SeDebugPrivilege	2920	tasklist.exe
Token: SeDebugPrivilege	2740	tasklist.exe
Token: SeDebugPrivilege	2300	tasklist.exe
Token: SeDebugPrivilege	1488	tasklist.exe
Token: SeDebugPrivilege	1556	tasklist.exe
Token: 33	2724	SunnyDay.exe
Token: SeIncBasePriorityPrivilege	2724	SunnyDay.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

1AB13RN57.tmp

pid	Process
2264	1AB13RN57.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

usun.exe

pid	Process
2620	usun.exe
2620	usun.exe
2620	usun.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1AB13RN57.exe1AB13RN57.tmpcmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2052 wrote to memory of 2264	2052	1AB13RN57.exe	30
PID 2052 wrote to memory of 2264	2052	1AB13RN57.exe	30
PID 2052 wrote to memory of 2264	2052	1AB13RN57.exe	30
PID 2052 wrote to memory of 2264	2052	1AB13RN57.exe	30
PID 2052 wrote to memory of 2264	2052	1AB13RN57.exe	30
PID 2052 wrote to memory of 2264	2052	1AB13RN57.exe	30
PID 2052 wrote to memory of 2264	2052	1AB13RN57.exe	30
PID 2264 wrote to memory of 2160	2264	1AB13RN57.tmp	32
PID 2264 wrote to memory of 2160	2264	1AB13RN57.tmp	32
PID 2264 wrote to memory of 2160	2264	1AB13RN57.tmp	32
PID 2264 wrote to memory of 2160	2264	1AB13RN57.tmp	32
PID 2160 wrote to memory of 2252	2160	cmd.exe	34
PID 2160 wrote to memory of 2252	2160	cmd.exe	34
PID 2160 wrote to memory of 2252	2160	cmd.exe	34
PID 2160 wrote to memory of 2252	2160	cmd.exe	34
PID 2264 wrote to memory of 1676	2264	1AB13RN57.tmp	36
PID 2264 wrote to memory of 1676	2264	1AB13RN57.tmp	36
PID 2264 wrote to memory of 1676	2264	1AB13RN57.tmp	36
PID 2264 wrote to memory of 1676	2264	1AB13RN57.tmp	36
PID 1676 wrote to memory of 1908	1676	cmd.exe	38
PID 1676 wrote to memory of 1908	1676	cmd.exe	38
PID 1676 wrote to memory of 1908	1676	cmd.exe	38
PID 1676 wrote to memory of 1908	1676	cmd.exe	38
PID 2264 wrote to memory of 1804	2264	1AB13RN57.tmp	39
PID 2264 wrote to memory of 1804	2264	1AB13RN57.tmp	39
PID 2264 wrote to memory of 1804	2264	1AB13RN57.tmp	39
PID 2264 wrote to memory of 1804	2264	1AB13RN57.tmp	39
PID 1804 wrote to memory of 2828	1804	cmd.exe	41
PID 1804 wrote to memory of 2828	1804	cmd.exe	41
PID 1804 wrote to memory of 2828	1804	cmd.exe	41
PID 1804 wrote to memory of 2828	1804	cmd.exe	41
PID 2264 wrote to memory of 2476	2264	1AB13RN57.tmp	42
PID 2264 wrote to memory of 2476	2264	1AB13RN57.tmp	42
PID 2264 wrote to memory of 2476	2264	1AB13RN57.tmp	42
PID 2264 wrote to memory of 2476	2264	1AB13RN57.tmp	42
PID 2264 wrote to memory of 1852	2264	1AB13RN57.tmp	44
PID 2264 wrote to memory of 1852	2264	1AB13RN57.tmp	44
PID 2264 wrote to memory of 1852	2264	1AB13RN57.tmp	44
PID 2264 wrote to memory of 1852	2264	1AB13RN57.tmp	44
PID 2264 wrote to memory of 344	2264	1AB13RN57.tmp	46
PID 2264 wrote to memory of 344	2264	1AB13RN57.tmp	46
PID 2264 wrote to memory of 344	2264	1AB13RN57.tmp	46
PID 2264 wrote to memory of 344	2264	1AB13RN57.tmp	46
PID 2264 wrote to memory of 1896	2264	1AB13RN57.tmp	48
PID 2264 wrote to memory of 1896	2264	1AB13RN57.tmp	48
PID 2264 wrote to memory of 1896	2264	1AB13RN57.tmp	48
PID 2264 wrote to memory of 1896	2264	1AB13RN57.tmp	48
PID 1896 wrote to memory of 1140	1896	cmd.exe	50
PID 1896 wrote to memory of 1140	1896	cmd.exe	50
PID 1896 wrote to memory of 1140	1896	cmd.exe	50
PID 1896 wrote to memory of 1140	1896	cmd.exe	50
PID 2264 wrote to memory of 824	2264	1AB13RN57.tmp	51
PID 2264 wrote to memory of 824	2264	1AB13RN57.tmp	51
PID 2264 wrote to memory of 824	2264	1AB13RN57.tmp	51
PID 2264 wrote to memory of 824	2264	1AB13RN57.tmp	51
PID 824 wrote to memory of 1192	824	cmd.exe	53
PID 824 wrote to memory of 1192	824	cmd.exe	53
PID 824 wrote to memory of 1192	824	cmd.exe	53
PID 824 wrote to memory of 1192	824	cmd.exe	53
PID 2264 wrote to memory of 1652	2264	1AB13RN57.tmp	54
PID 2264 wrote to memory of 1652	2264	1AB13RN57.tmp	54
PID 2264 wrote to memory of 1652	2264	1AB13RN57.tmp	54
PID 2264 wrote to memory of 1652	2264	1AB13RN57.tmp	54
PID 1652 wrote to memory of 560	1652	cmd.exe	56

C:\Users\Admin\AppData\Local\Temp\1AB13RN57.exe
"C:\Users\Admin\AppData\Local\Temp\1AB13RN57.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\is-8ELNO.tmp\1AB13RN57.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8ELNO.tmp\1AB13RN57.tmp" /SL5="$401B4,3440317,131072,C:\Users\Admin\AppData\Local\Temp\1AB13RN57.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c taskkill /f /im usun.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im usun.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c taskkill /f /im SunnyDay.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im SunnyDay.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2828
- - C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\encrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\encrypt.exe" x C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\SunnyDay.7z -p1120164302481111481643 -t7z
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\encrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\encrypt.exe" x C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\usun.7z -p1120164302481111481643 -t7z
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- - C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\encrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\encrypt.exe" x C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\predm.7z -p1120164302481111481643 -t7z
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "IMAGENAME eq upfst_*" > "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp/list.bin"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq upfst_*"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "IMAGENAME eq upmbot_*" > "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp/list.bin"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq upmbot_*"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "IMAGENAME eq upgmsd_*" > "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp/list.bin"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq upgmsd_*"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "IMAGENAME eq upospd_*" > "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp/list.bin"
    3⤵
    PID:2192
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq upospd_*"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "IMAGENAME eq upmpck_*" > "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp/list.bin"
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq upmpck_*"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "IMAGENAME eq updpcc_*" > "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp/list.bin"
    3⤵
    PID:2480
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq updpcc_*"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "IMAGENAME eq upoasi_*" > "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp/list.bin"
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq upoasi_*"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "IMAGENAME eq upefas_*" > "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp/list.bin"
    3⤵
    PID:2276
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq upefas_*"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "IMAGENAME eq updimp_*" > "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp/list.bin"
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq updimp_*"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "IMAGENAME eq usun*" > "C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp/list.bin"
    3⤵
    PID:2704
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq usun*"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2300
- - C:\Users\Admin\AppData\Local\SunnyDay2\usun.exe
    "C:\Users\Admin\AppData\Local\SunnyDay2\usun.exe" -runhelper
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Program Files (x86)\SunnyDay2\SunnyDay.exe
    "C:\Program Files (x86)\SunnyDay2\SunnyDay.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq SunnyDay.exe" /FO CSV
      4⤵
      PID:1656
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq SunnyDay.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq usun.exe" /FO CSV
      4⤵
      PID:828
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq usun.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\CheckProc.cmd

Filesize
124B

MD5
a5ef5011aeb674f6360dfc0af436173f

SHA1
d8b9e885db30ce46b701bc8803049b530a633154

SHA256
dd5b12fc961c659a4b7d1b094506d237c2100f82f9750984098b060ab2e1812f

SHA512
a0fbe17acc815528d950ee4436c904381ccd5b0824eef592a985b1e7749ce6f891368dce7bd28087fd057e5671199a757d492611273867a5d5134caf5e04eee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\CheckProc.cmd

Filesize
116B

MD5
138dd9b8f2ad8df4e358ceb213e638ff

SHA1
9fded75c60a9798d9ab7f5808ece6dd72a0bb579

SHA256
b263d73849b11614d3373f39e32f0b4f7b96f4283012037c4f950df2b24e1d7f

SHA512
5fee8d228d2aebf2b29c2ec12cf1a55f3ab805252023122fc20d2c1b79f9d7015b4233b8d5f7f7317ffd00a6b5f046099fcdf2a3f4dbf0e95632eab7e4b5c897

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\SunnyDay.7z

Filesize
1.4MB

MD5
44873ba1264d4f43e60befbd88b77a13

SHA1
54ea2475e04e47d82e6534f8cc10b281de38ad6b

SHA256
de942ec4e1e1447e3424991cbf4d35401b8dd834b78dba679ecba92d403b9650

SHA512
e6b670a4b4c29290daaa763f545f0e43d02f4387f81973bafa04bc5fa5ce34110b52781d514af5395482f165bf7078f7f80cff3b49109b281dc88ab6f59bc103

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\SunnyDay.exe

Filesize
3.8MB

MD5
1d177c8bcc00272e0c93988daf96acd2

SHA1
f31a8dd9a522fa1e3eb72eac0081c3259d2bb239

SHA256
bd8c7cce3affd5ccd381b9e32e87eda82da7bb8bcb49174b264baaf0830a094c

SHA512
8aef65a604061ab70a53c8f24ca0c1ceb73d98a5c5b2486ba2f340027545e457825a5d173f1e75f7c9a9e547cd193c55d635a613f58ebd3fdf0b558c638cea15

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\av.txt

Filesize
24B

MD5
f8f8258012893e0a2c957d226bdd7587

SHA1
ed482b5f912ef2d31e2b231df6b6e3b64967390c

SHA256
c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2

SHA512
6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\ex.bat

Filesize
786B

MD5
4ce2bd7e1cb3fbffb94d4451984f9cb6

SHA1
41757ce3d17955112d347fd5050fc3a88e5e7a0b

SHA256
47e02b83e6ce86a40f41d567067ec3216c1266f4d6e6a3dda509a53ca72f970b

SHA512
840afa85818381624bd19859c5f9002079fa6fbf00933c377099a9151ed1e932ce36b31279df9c41fa7d3031346724fda340a48cbf81e3d37eb248378a9a7cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\list.bin

Filesize
64B

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\predm.7z

Filesize
445KB

MD5
4da649cd8a3b82c54c627834c1ee0d5c

SHA1
9a2fb7b94bcd890052036bd094bfdc1f352d8c1b

SHA256
373e76ad6b6027996892e00bbb417d54505176514c0e033fffa529a55e550afa

SHA512
677c411f86da7b9882e94f29712c88221f7073fb4922cbef9fc0d0a19c7b66fc41b43363a6f5442d1d5cbb5782d6b68106979f9bbb346667a620320ffd689357

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\predm.exe

Filesize
597KB

MD5
d36355d64b755effd1aa5875b0db78b3

SHA1
665cda7dbf0a8ce2725bd1a1630ae7e2540e5057

SHA256
9f3883bea1e73f4e261016a8fa467bd9fd2a253221867049c60972899e608e0c

SHA512
196ba724d1edd25ad33afb740d47cbab5057a5dd95110fa4cec5e1098dea15dfc9c63ae4c9b7a70cce1f2cecf5b5ac2c9effec42906ca91dde1bbdf368d56090

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\usun.7z

Filesize
1.0MB

MD5
8110d88cbf22e1c857de8431ca6ce1f1

SHA1
f892ce079908a138ce616b96f79d508cdfadfe64

SHA256
e457dae73639ae43edc0944a685faa635f95ce840f0a326de70fcd5d61168c8b

SHA512
b88088868dc52f3105efc7b3f6b83d13a9d5dceb25d93efbeab0d822d9e1a3b9f44b3a058710ba6a9f5cf4ad6c61613ea55ffec54f2bd7bb52d3172892e4d664

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-63I76.tmp\usun.exe

Filesize
3.0MB

MD5
6a72fc196ae198b8365a14dd1de8f4e6

SHA1
9ab276cd3760780302155c23e31747ffe0393428

SHA256
47f7326e6e29b0a45af9a423232f000b4ff0eb91ee3500043bb8ad682b4192f0

SHA512
4b4ec9a447fbeb466b7ef776ff0239f1fc49d9e149a9ff19fbb89d6132efb555d24fccec8d5057954be6a4e49cb77eae3256f617d7c4e935d72ea98e7a7ddd3f

Download Submit
\Users\Admin\AppData\Local\Temp\is-63I76.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-63I76.tmp\encrypt.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
\Users\Admin\AppData\Local\Temp\is-63I76.tmp\idp.dll

Filesize
208KB

MD5
436a629d3b9eaf86461b2101aa2c2ad3

SHA1
b8bd79a1b2c47065099ec8d3a2323fb68f83dddc

SHA256
c9bc90ff689b78861ee4e797a06eb9dcb17f42703d24609d7ce8164fc19a9fd9

SHA512
f3b76d9da560c419cc784a5da02a34c95de542a15b08dae28b2490f1da167c9b8157eadad7dc9da6814f725a726b27eacbd746edc7a5649bd842fe7d1d821fca

Download Submit
\Users\Admin\AppData\Local\Temp\is-8ELNO.tmp\1AB13RN57.tmp

Filesize
763KB

MD5
15f4eedb71e2a46e37d1bebcf16f5046

SHA1
4fe009f295517ce6571cd622d8ad0d9a3268eed1

SHA256
6a955d2f59c5b0084068320cb994f2ad795cf64571cb5036ca0081e334f6bd63

SHA512
07300879dc3c19b3982c9bf2ce3db2564344f79d833656c66e54e08e669e39021efab9323463be34a23f1f928ed4bbdc03be5137528cfad9c5f87a20ef83f9db

Download Submit
memory/2052-19-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2052-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2052-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2052-138-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2264-76-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2264-9-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2264-20-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2264-30-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2264-137-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download